Bug Description

[SRU justification]
If users install the grub-pc package on a machine booted under Secure Boot, the system will still be bootable but there will be avoidable package upgrade errors when installing a new version of the shim-signed package. We should ensure that UEFI users don't accidentally get their package system into a wedged state, by ensuring shim-signed pulls in the necessary efi grub package as a dependency and calls grub-install in a way that works reliably even when grub-pc has been installed.

[Test case]
1. Install on a machine that boots using UEFI.
3. Install the grub-pc package.
4. Upgrade to the shim-signed package from -updates.
5. Verify that the upgrade fails.
6. Install the shim-signed package from -proposed.
7. Verify that the upgrade succeeds.

[Regression potential]
Minimal. The --target=x86_64-efi option to grub-install is supported in all relevant versions, and adding it explicitly should not cause any failures in scenarios where the shim-signed package is currently working.

Upgrade from 13.04 to 13.10 broke off.
Warning about possibly unusable system appeared.

* Pass --target=x86_64-efi to grub-install from the postinst and depend on
grub-efi-amd64-bin, so that package upgrades will do the right thing
even if the system has been rebooted under BIOS. LP: #1246910.
* Kubuntu sets GRUB_DISTRIBUTOR to a different value which doesn't match
the path under /boot/efi; fix this up so shim-signed upgrades properly
on Kubuntu systems. LP: #1242417.
-- Steve Langasek <email address hidden> Thu, 31 Oct 2013 17:06:21 -0700

It's good to see this problem has been taken care of. Still, "dpkg -s shim-signed" tells me I am using 1.3, not 1.5, and apt-get tells me I am using the latest version. At least my system booted despite the interrupted update from 13.04 to 13.10 but I do not know how up-to-date it is. Update-manager today gave me a general failure message but finds no more pending updates when I re-run it.

When I run apt-get upgrade I get the following (it is partly in Esperanto and partly in German; I try to give a translation):

Aisano, this bug has been fixed in trusty, but it still needs to be copied to stable releases. There should be a message posted to this bug with information on how to help verify it once that process starts.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

* Pass --target=x86_64-efi to grub-install from the postinst and depend on
grub-efi-amd64-bin, so that package upgrades will do the right thing
even if the system has been rebooted under BIOS. LP: #1246910.
* Kubuntu sets GRUB_DISTRIBUTOR to a different value which doesn't match
the path under /boot/efi; fix this up so shim-signed upgrades properly
on Kubuntu systems. LP: #1242417.
-- Steve Langasek <email address hidden> Fri, 08 Nov 2013 10:47:35 -0800

* Pass --target=x86_64-efi to grub-install from the postinst and depend on
grub-efi-amd64-bin, so that package upgrades will do the right thing
even if the system has been rebooted under BIOS. LP: #1246910.
* Kubuntu sets GRUB_DISTRIBUTOR to a different value which doesn't match
the path under /boot/efi; fix this up so shim-signed upgrades properly
on Kubuntu systems. LP: #1242417.
-- Steve Langasek <email address hidden> Thu, 07 Nov 2013 10:29:43 -0800

* Pass --target=x86_64-efi to grub-install from the postinst and depend on
grub-efi-amd64-bin, so that package upgrades will do the right thing
even if the system has been rebooted under BIOS. LP: #1246910.
* Kubuntu sets GRUB_DISTRIBUTOR to a different value which doesn't match
the path under /boot/efi; fix this up so shim-signed upgrades properly
on Kubuntu systems. LP: #1242417.
-- Steve Langasek <email address hidden> Fri, 08 Nov 2013 10:36:26 -0800

* Pass --target=x86_64-efi to grub-install from the postinst and depend on
grub-efi-amd64-bin, so that package upgrades will do the right thing
even if the system has been rebooted under BIOS. LP: #1246910.
* Kubuntu sets GRUB_DISTRIBUTOR to a different value which doesn't match
the path under /boot/efi; fix this up so shim-signed upgrades properly
on Kubuntu systems. LP: #1242417.
-- Steve Langasek <email address hidden> Fri, 08 Nov 2013 10:45:25 -0800

-h, --help print this message and exit
-v, --version print the version information and exit
--root-directory=DIR install GRUB images under the directory DIR instead of the root directory
--grub-shell=FILE use FILE as the grub shell
--no-floppy do not probe any floppy drive
--force-lba force GRUB to use LBA mode even for a buggy BIOS
--recheck probe a device map even if it already exists

INSTALL_DEVICE can be a GRUB device name or a system device filename.

grub-install copies GRUB images into the DIR/boot directory specfied by
--root-directory, and uses the grub shell to install grub into the boot
sector.

-h, --help print this message and exit
-v, --version print the version information and exit
--root-directory=DIR install GRUB images under the directory DIR instead of the root directory
--grub-shell=FILE use FILE as the grub shell
--no-floppy do not probe any floppy drive
--force-lba force GRUB to use LBA mode even for a buggy BIOS
--recheck probe a device map even if it already exists

INSTALL_DEVICE can be a GRUB device name or a system device filename.

grub-install copies GRUB images into the DIR/boot directory specfied by
--root-directory, and uses the grub shell to install grub into the boot
sector.